From 555208ae092b808d9bd5008468537bc3f5bdd743 Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 11:19:35 -0800
Subject: [PATCH 1/7] nixos/certmgr: fix eval
---
 nixos/modules/services/security/certmgr.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix
index 4a156539b4384..84f17bf87d512 100644
--- a/nixos/modules/services/security/certmgr.nix
+++ b/nixos/modules/services/security/certmgr.nix
@@ -130,7 +130,7 @@ in
 type = addCheck str (
 x:
 cfg.svcManager == "command"
- || elem x [
+ || lib.elem x [
 "restart"
 "reload"
 "nop"
From ef596173f89fb0af8864074cbfd8816c1e056e4b Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 11:19:50 -0800
Subject: [PATCH 2/7] nixos/cfssl: fix eval
---
 nixos/modules/services/security/cfssl.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
index 574649de75a9d..2d0465d6a0b89 100644
--- a/nixos/modules/services/security/cfssl.nix
+++ b/nixos/modules/services/security/cfssl.nix
@@ -193,7 +193,7 @@ in
 ExecStart =
 with cfg;
 let
- opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
+ opt = n: v: lib.optionalString (v != null) ''-${n}="${v}"'';
 in
 lib.concatStringsSep " \\\n" [
 "${pkgs.cfssl}/bin/cfssl serve"
From b7090b32162a825ea89192ac461972689a18f1c1 Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 11:22:38 -0800
Subject: [PATCH 3/7] nixos/cloud-init: fix eval
---
 nixos/modules/services/system/cloud-init.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix
index cf8585dc90bb3..372fa8aac8045 100644
--- a/nixos/modules/services/system/cloud-init.nix
+++ b/nixos/modules/services/system/cloud-init.nix
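Review bot: The cfssl hunk qualifies `optionalString` with `lib.` but keeps `with cfg;` above the `let`, and `with` is the weakest scope in Nix: any lexical binding of the same name that is later introduced around `ExecStart` silently takes precedence over the `cfg` attribute, so the names that `opt` is applied to further down resolve by spelling rather than by an explicit path. Reading them as `cfg.<name>` would make the dependency on the option set visible at each use and survive a future removal of the `with`. The same pattern remains in the endlessh `ExecStart` and `allowedTCPPorts` hunks, the magnetico `crawlerArgs`/`webArgs` hunks and both endlessh-go hunks. The `ExecStart` attribute continues past the end of this hunk.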
@@ -17,9 +17,9 @@ let
 util-linux
 busybox
 ]
- ++ optional cfg.btrfs.enable btrfs-progs
- ++ optional cfg.ext4.enable e2fsprogs
- ++ optional cfg.xfs.enable xfsprogs
+ ++ lib.optional cfg.btrfs.enable btrfs-progs
+ ++ lib.optional cfg.ext4.enable e2fsprogs
+ ++ lib.optional cfg.xfs.enable xfsprogs
 ++ cfg.extraPackages;
 hasFs = fsName: lib.any (fs: fs.fsType == fsName) (lib.attrValues config.fileSystems);
 settingsFormat = pkgs.formats.yaml { };
From 92ef45ef1103e013de395d6260bda436abec07ee Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 11:59:40 -0800
Subject: [PATCH 4/7] nixos/endlessh: fix eval
---
 nixos/modules/services/security/endlessh.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/security/endlessh.nix b/nixos/modules/services/security/endlessh.nix
index cac6de5c3cf36..cd5b9c5c82547 100644
--- a/nixos/modules/services/security/endlessh.nix
+++ b/nixos/modules/services/security/endlessh.nix
@@ -60,7 +60,7 @@ in
 Restart = "always";
 ExecStart =
 with cfg;
- concatStringsSep " " (
+ lib.concatStringsSep " " (
 [
 "${pkgs.endlessh}/bin/endlessh"
 "-p ${toString port}"
@@ -109,7 +109,7 @@ in
 };
 };
- networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];
+ networking.firewall.allowedTCPPorts = with cfg; lib.optionals openFirewall [ port ];
 };
 meta.maintainers = with lib.maintainers; [ azahi ];
From 18765d044a50ad46192212355ee492bb0b014152 Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 12:09:53 -0800
Subject: [PATCH 5/7] nixos/tor: fix eval
Resolves #369847
---
 nixos/modules/services/security/tor.nix | 65 ++++++++++++-------------
 1 file changed, 32 insertions(+), 33 deletions(-)
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 0d4d4c88be746..6c1554e60cafc 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -5,7 +5,6 @@
 pkgs,
 ...
 }:
-with builtins;
 let
 cfg = config.services.tor;
 opt = options.services.tor;
@@ -15,7 +14,7 @@ let
 See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en#${option}).
 '';
 bindsPrivilegedPort =
- any
+ lib.any
 (
 p0:
 let
@@ -25,7 +24,7 @@ let
 false
 else
 let
- p2 = if isInt p1 then p1 else toInt p1;
+ p2 = if lib.isInt p1 then p1 else lib.toInt p1;
 in
 p1 != null && 0 < p2 && p2 < 1024
 )
@@ -197,7 +196,7 @@ let
 config = lib.mkIf doConfig {
 # Only add flags in SOCKSPort to avoid duplicates
 flags =
- filter (name: config.${name} == true) flags
+ lib.filter (name: config.${name} == true) flags
 ++ lib.optional (config.SessionGroup != null) "SessionGroup=${toString config.SessionGroup}";
 };
 }
@@ -272,16 +271,16 @@ let
 k: v:
 if v == null then
 ""
- else if isBool v then
+ else if lib.isBool v then
 (if v then "1" else "0")
 else if v ? "unix" && v.unix != null then
- "unix:" + v.unix + lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
+ "unix:" + v.unix + lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
 else if v ? "port" && v.port != null then
 lib.optionalString (v ? "addr" && v.addr != null) "${v.addr}:"
 + toString v.port
- + lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
+ + lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
 else if k == "ServerTransportPlugin" then
- lib.optionalString (v.transports != [ ]) "${concatStringsSep "," v.transports} exec ${v.exec}"
+ lib.optionalString (v.transports != [ ]) "${lib.concatStringsSep "," v.transports} exec ${v.exec}"
 else if k == "HidServAuth" then
 v.onion + " " + v.auth
 else
@@ -298,7 +297,7 @@ let
 k: v:
 # Not necesssary, but prettier rendering
 if
- elem k [
+ lib.elem k [
 "AutomapHostsSuffixes"
 "DirPolicy"
 "ExitPolicy"
@@ -306,7 +305,7 @@ let
 ]
 && v != [ ]
 then
- concatStringsSep "," v
+ lib.concatStringsSep "," v
 else
 v
 ) (lib.filterAttrs (k: v: !(v == null || v == "")) settings)
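Review bot: In the `bindsPrivilegedPort` hunk, the new `p2 = if lib.isInt p1 then p1 else lib.toInt p1;` turns the privileged-port predicate into an evaluation error whenever a port option holds a non-numeric string, because `lib.toInt` throws on anything it cannot parse instead of yielding a value the surrounding `p1 != null && 0 < p2 && p2 < 1024` chain could reject. Whether the port option types admit such strings is not visible in this hunk, so the case may be unreachable in practice. If they do, a total form such as `p2 = if lib.isInt p1 then p1 else if builtins.match "[0-9]+" p1 != null then lib.toInt p1 else 0;` keeps the predicate from throwing and lets it answer false. The `bindsPrivilegedPort` definition starts before this hunk and is closed after it.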
@@ -750,7 +749,7 @@ in
 ]);
 apply = map (
 v:
- if isInt v then
+ if lib.isInt v then
 {
 port = v;
 target = null;
@@ -816,7 +815,7 @@ in
 settings.HiddenServiceVersion = config.version;
 settings.HiddenServiceAuthorizeClient =
 if config.authorizeClient != null then
- config.authorizeClient.authType + " " + concatStringsSep "," config.authorizeClient.clientNames
+ config.authorizeClient.authType + " " + lib.concatStringsSep "," config.authorizeClient.clientNames
 else
 null;
 settings.HiddenServicePort = map (
@@ -998,7 +997,7 @@ in
 }
 ))
 ]);
- apply = p: if isInt p || isString p then { port = p; } else p;
+ apply = p: if lib.isInt p || lib.isString p then { port = p; } else p;
 };
 options.ExtORPortCookieAuthFile = optionPath "ExtORPortCookieAuthFile";
 options.ExtORPortCookieAuthFileGroupReadable = optionBool "ExtORPortCookieAuthFileGroupReadable";
@@ -1198,17 +1197,17 @@ in
 lib.mapAttrsToList (
 n: o:
 lib.optionals (o.settings.HiddenServiceVersion == 2) [
- (optional (o.settings.HiddenServiceExportCircuitID != null) ''
+ (lib.optional (o.settings.HiddenServiceExportCircuitID != null) ''
 HiddenServiceExportCircuitID is used in the HiddenService: ${n}
 but this option is only for v3 hidden services.
 '')
 ]
 ++ lib.optionals (o.settings.HiddenServiceVersion != 2) [
- (optional (o.settings.HiddenServiceAuthorizeClient != null) ''
+ (lib.optional (o.settings.HiddenServiceAuthorizeClient != null) ''
 HiddenServiceAuthorizeClient is used in the HiddenService: ${n}
 but this option is only for v2 hidden services.
 '')
- (optional (o.settings.RendPostPeriod != null) ''
+ (lib.optional (o.settings.RendPostPeriod != null) ''
 RendPostPeriod is used in the HiddenService: ${n}
 but this option is only for v2 hidden services.
 '')
@@ -1245,7 +1244,7 @@ in
 }
 // lib.optionalAttrs
- (elem cfg.relay.role [
+ (lib.elem cfg.relay.role [
 "bridge"
 "private-bridge"
 ])
@@ -1307,13 +1306,13 @@ in
 networking.firewall = lib.mkIf cfg.openFirewall {
 allowedTCPPorts =
- concatMap
+ lib.concatMap
 (
 o:
- if isInt o && o > 0 then
+ if lib.isInt o && o > 0 then
 [ o ]
 else
- lib.optionals (o ? "port" && isInt o.port && o.port > 0) [ o.port ]
+ lib.optionals (o ? "port" && lib.isInt o.port && o.port > 0) [ o.port ]
 )
 (
 lib.flatten [
@@ -1341,40 +1340,40 @@ in
 (
 "+"
 + pkgs.writeShellScript "ExecStartPre" (
- concatStringsSep "\n" (
+ lib.concatStringsSep "\n" (
 lib.flatten (
 [ "set -eu" ]
 ++ lib.mapAttrsToList (
 name: onion:
 lib.optional (onion.authorizedClients != [ ]) ''
- rm -rf ${escapeShellArg onion.path}/authorized_clients
- install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path} ${escapeShellArg onion.path}/authorized_clients
+ rm -rf ${lib.escapeShellArg onion.path}/authorized_clients
+ install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path} ${lib.escapeShellArg onion.path}/authorized_clients
 ''
- ++ imap0 (i: pubKey: ''
+ ++ lib.imap0 (i: pubKey: ''
 echo ${pubKey} |
- install -o tor -g tor -m 0400 /dev/stdin ${escapeShellArg onion.path}/authorized_clients/${toString i}.auth
+ install -o tor -g tor -m 0400 /dev/stdin ${lib.escapeShellArg onion.path}/authorized_clients/${toString i}.auth
 '') onion.authorizedClients
 ++ lib.optional (onion.secretKey != null) ''
- install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path}
- key="$(cut -f1 -d: ${escapeShellArg onion.secretKey} | head -1)"
+ install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path}
+ key="$(cut -f1 -d: ${lib.escapeShellArg onion.secretKey} | head -1)"
 case "$key" in
 ("== ed25519v"*"-secret")
- install -o tor -g tor -m 0400 ${escapeShellArg onion.secretKey} ${escapeShellArg onion.path}/hs_ed25519_secret_key;;
+ install -o tor -g tor -m 0400 ${lib.escapeShellArg onion.secretKey} ${lib.escapeShellArg onion.path}/hs_ed25519_secret_key;;
 (*) echo >&2 "NixOS does not (yet) support secret key type for onion: ${name}"; exit 1;;
 esac
 ''
 ) cfg.relay.onionServices
 ++ lib.mapAttrsToList (
 name: onion:
- imap0 (
+ lib.imap0 (
 i: prvKeyPath:
 let
- hostname = removeSuffix ".onion" name;
+ hostname = lib.removeSuffix ".onion" name;
 in
 ''
- printf "%s:" ${escapeShellArg hostname} | cat - ${escapeShellArg prvKeyPath} |
+ printf "%s:" ${lib.escapeShellArg hostname} | cat - ${lib.escapeShellArg prvKeyPath} |
 install -o tor -g tor -m 0700 /dev/stdin \
- ${runDir}/ClientOnionAuthDir/${escapeShellArg hostname}.${toString i}.auth_private
+ ${runDir}/ClientOnionAuthDir/${lib.escapeShellArg hostname}.${toString i}.auth_private
 ''
 ) onion.clientAuthorizations
 ) cfg.client.onionServices
@@ -1417,7 +1416,7 @@ in
 BindPaths = [ stateDir ];
 BindReadOnlyPaths =
 [
- storeDir
+ builtins.storeDir
 "/etc"
 ]
 ++ lib.optionals config.services.resolved.enable [
From 7bb552f178ab6def1248a49619137f1a13a49a4c Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 12:13:36 -0800
Subject: [PATCH 6/7] nixos/magnetico: fix eval
---
 nixos/modules/services/torrent/magnetico.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix
index 51a4dc4c715fe..b62613eccdf7f 100644
--- a/nixos/modules/services/torrent/magnetico.nix
+++ b/nixos/modules/services/torrent/magnetico.nix
@@ -15,7 +15,7 @@ let
 credentialsFile
 else
 pkgs.writeText "magnetico-credentials" (
- concatStrings (mapAttrsToList (user: hash: "${user}:${hash}\n") cfg.web.credentials)
+ lib.concatStrings (lib.mapAttrsToList (user: hash: "${user}:${hash}\n") cfg.web.credentials)
 );
 # default options in magneticod/main.go
@@ -28,7 +28,7 @@ let
 crawlerArgs =
 with cfg.crawler;
- escapeShellArgs (
+ lib.escapeShellArgs (
 [
 "--database=${dbURI}"
 "--indexer-addr=${address}:${toString port}"
@@ -40,7 +40,7 @@ let
 webArgs =
 with cfg.web;
- escapeShellArgs (
+ lib.escapeShellArgs (
 [
 "--database=${dbURI}"
 (
From c0f2a3cc206838ccf27a98ddf3bd845cdc1509f9 Mon Sep 17 00:00:00 2001
From: Philip Taron
Date: Wed, 1 Jan 2025 12:18:39 -0800
Subject: [PATCH 7/7] nixos/endlessh-go: fix eval
---
 nixos/modules/services/security/endlessh-go.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/security/endlessh-go.nix b/nixos/modules/services/security/endlessh-go.nix
index a44652e8afd8d..b8b51acc81d0e 100644
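Review bot: In the `lib.imap0 (i: pubKey: ...)` block of the `ExecStartPre` script, the context line `echo ${pubKey} |` still interpolates the client key into the shell text unquoted, while every path on the neighbouring lines now goes through `lib.escapeShellArg`; a key value containing whitespace or shell metacharacters would be word-split or interpreted by the generated script rather than written verbatim into the `.auth` file. Quoting it the same way as its neighbours, `echo ${lib.escapeShellArg pubKey} |`, keeps the script consistent with the rest of the hunk. The `ExecStartPre` expression and the `serviceConfig` around it start before this hunk and continue after it.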
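Review bot: The rewritten `lib.concatStrings (lib.mapAttrsToList (user: hash: "${user}:${hash}\n") cfg.web.credentials)` in the magnetico hunk still feeds every `user:hash` line to `pkgs.writeText`, so the rendered credential file becomes a Nix store path, which is readable by every local user and may be pushed to any binary cache or remote builder the host uses; the `credentialsFile` branch just above it is the path that avoids this. If the `credentials` option description does not already spell this out, a comment at the call site such as `# rendered into the world-readable Nix store; use credentialsFile for secret material` would keep the trade-off visible to the next maintainer. The `credentialsFile` binding begins before this hunk.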
--- a/nixos/modules/services/security/endlessh-go.nix
+++ b/nixos/modules/services/security/endlessh-go.nix
@@ -94,14 +94,14 @@ in
 Restart = "always";
 ExecStart =
 with cfg;
- concatStringsSep " " (
+ lib.concatStringsSep " " (
 [
 (lib.getExe cfg.package)
 "-logtostderr"
 "-host=${listenAddress}"
 "-port=${toString port}"
 ]
- ++ optionals prometheus.enable [
+ ++ lib.optionals prometheus.enable [
 "-enable_prometheus"
 "-prometheus_host=${prometheus.listenAddress}"
 "-prometheus_port=${toString prometheus.port}"
@@ -149,7 +149,7 @@ in
 };
 };
- networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];
+ networking.firewall.allowedTCPPorts = with cfg; lib.optionals openFirewall [ port ];
 };
 meta.maintainers = with lib.maintainers; [ azahi ];